Koozali.org formerly Contribs.org

Sending email securely

Offline brianr

Sending email securely
« on: June 11, 2018, 05:38:24 PM »
Apologies if this is a silly or easy question, but I am struggling to see through the implications.

Email is sent to the receiving server using port 25. Is this "plain" SMTP? As it does not involve a login and password, then I guess it is not as insecure, but of course the contents are sent "en plain".

Are there circumstances in which the SMEServer will send using a secure protocol? Does it ask the receiving mail server what protocols it might support? If not can we force it to do so in some way?

Cheers  Brian
Brian j Read
(retired, but still looking after 5 SME installations)
.........

Offline Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: Sending email securely
« Reply #1 on: June 11, 2018, 09:04:36 PM »
Simple and short answer: no.

Long answer: search for smtp tls outgoing on this forum. As far as I remember there would be a patch for qmail to allow this, but there is no way to make sure the server is the right one, so encryption fails the purpose of privacy, as you could send your mail to a third server which will be able to read the plain text email. Also you never know if this is the final mail server or if another hop will occur with or without encryption of the transaction.

The real solution if you want privacy is not at server level but rather at user level: use either S/MIME or OpenPGP encryption of mail content.

You can get a free 1 year S/MIME cert, or buy a plan for your corporation. If you want encryption you need both ends to have already exchanged their public keys by exchanging signed email without encryption.

 


Online ReetP

Re: Sending email securely
« Reply #3 on: June 12, 2018, 09:25:32 PM »
This is relevant:

https://forums.contribs.org/index.php/topic,53229.msg275855.html#msg275855

Also take on board Charlie and Daniel's comments.

The point is, as I made, that the only way you can currently guarantee secure end to end encryption is as JPP suggested.

Yup, people are welcome to contribute patches to the SME mail server, but they won't give you the security you want. It's an illusion, and therefore potentially dangerous. Less experienced users may be fooled into thinking that mail is completely secure because their server is.

Until every server on the planet has it you are chasing ghosts.

If you feel GDPR compels you to send encrypted mail then you'll have to use PGP or S/MIME. There is simply no other choice if you want a cast iron guarantee.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

Re: Sending email securely
« Reply #4 on: June 12, 2018, 10:48:42 PM »
Quote
Also take on board Charlie and Daniel's comments.
The point is, as I made, that the only way you can currently guarantee secure end to end encryption is as JPP suggested.
Yup, people are welcome to contribute patches to the SME mail server, but they won't give you the security you want. It's an illusion, and therefore potentially dangerous. Less experienced users may be fooled into thinking that mail is completely secure because their server is.
Until every server on the planet has it you are chasing ghosts.

Well, to be precise, until there is not a single server accepting a non-TLS connection AND there is a way to check the authenticity of the server as we can with certificates and https.
Even if all servers only accept TLS, the way it is designed does not prevent a server from intercepting your communication and saying it is the right smtp using its own self-signed certificate.

Quote
If you feel GDPR compels you to send encrypted mail then you'll have to use PGP or S/MIME. There is simply no other choice if you want a cast iron guarantee.

Or use an internal message system used only on an https connection on your own website. This is the way most revenue agencies and government agencies proceed.

Online ReetP

Re: Sending email securely
« Reply #5 on: June 12, 2018, 11:03:43 PM »
Quote
Well, to be precise, until there is not a single server accepting a non-TLS connection AND there is a way to check the authenticity of the server as we can with certificates and https.
Even if all servers only accept TLS, the way it is designed does not prevent a server from intercepting your communication and saying it is the right smtp using its own self-signed certificate.

Indeed. I was trying to KISS cos I can't do complex :-)

Quote
or use an internal message system used only on an https connection on your own website. This is the way most revenue agencies and government agencies proceed.

Exactly what we do for our internal stuff - rocketchat. Doesn't get round dealing with customers though, although I could set up an open public chat forum for them I guess.


Online ReetP

Re: Sending email securely
« Reply #6 on: June 12, 2018, 11:23:08 PM »
PS

Please note I am NOT against getting it to work, and everyone across the planet should have been forced to do this years ago.

The fact is that hasn't happened. Connections are insecure, and PGP etc is a pain in the butt to set up and use.

As a result, encrypted instant messaging systems are most likely going to kick a lot of email into touch. They are end to end encrypted already, handle attachments, and can do most of what email already can, securely.

As a good friend of mine said the other day, the so-called 'Generation Z', the follow-on to the 'Millennials', barely know how to use email. 'If you want me, message me. I never check my email'. They rarely bother with logging on to websites (the main place where an email address is really required) - if it hasn't got an app, forget it.

If they hadn't been forced to use an email address when setting up their iPhone/Android, I'd take a shot at saying they probably never would.

That is the way of the future. Email didn't move on. It will go the way of the dinosaur, given a helping hand by Ed Snowden, GDPR etc etc etc.

My only objection to moving that way is the comprehensive rape and pillage of address books by some large actors. Hence say Continental have apparently recently banned their workers from using WhatsApp.

I give my number to you, but I don't give permission for Facebook/Google etc to take it from you, but they take it anyway.

A customer gives me their number for business use. Facebook/Google etc have no right to take it from me, especially as the client has not approved it, but they take it anyway.

That is a situation that badly needs resolving, and soon. However, I think GDPR may well push that change along, and possibly sooner rather than later.

Anyways, onwards and upwards !

Online ReetP

Re: Sending email securely
« Reply #7 on: June 17, 2018, 10:12:47 AM »
Entertainingly...

https://twitter.com/MarshallCohen/status/1007667538786963456?s=19

Because you cannot guarantee end to end security :-)

Offline Knuddi

    • http://www.smeoptimizer.com
Re: Sending email securely
« Reply #8 on: Today at 10:03:10 AM »
Even though TLS support in qmail will not guarantee secure communication between the sending server and the destination, it will add yet another layer of security. There is no guarantee in anything when it comes to IT security - we simply just add layer by layer. Therefore it does make good sense to get this patch added to the SME server.

On top of this it would be quite simple to create mail policies that reject sending mails to a destination if TLS cannot be established - if really sophisticated this could be configurable by destination domain. Again I understand that you cannot be 100% sure it's not just an intermediary hub, but it's better than nothing a free text as the SME sends now....

Lastly, the young generation might not be using email as much as we do - but it's far from dead (https://www.emailisnotdead.com/).
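
The per-destination policy described in the post above, combined with the server-authenticity gap raised earlier in the thread, as an added sketch that is not part of any post and not SME Server or qmail code. The policy names, domains and EHLO replies are constructed for illustration.

```python
# Added illustration: hypothetical outbound TLS policy check.
# Policy names, domains and EHLO replies are constructed, not real settings.
from dataclasses import dataclass

# "may"     - use TLS if offered, otherwise send in clear text (opportunistic)
# "encrypt" - refuse to send unless TLS is established (any certificate)
# "verify"  - also require a certificate that validates for the MX host name
POLICIES = {"example.org": "encrypt", "bank.example": "verify"}
DEFAULT_POLICY = "may"

@dataclass
class Session:
    ehlo_reply: str        # raw multi-line EHLO response from the remote MX
    tls_established: bool  # did the STARTTLS handshake complete?
    cert_verified: bool    # did chain and host name validation succeed?

def offers_starttls(ehlo_reply: str) -> bool:
    """Scan '250-KEYWORD ...' / '250 KEYWORD' lines for the STARTTLS keyword."""
    for line in ehlo_reply.splitlines():
        if line[:3] == "250" and line[3:4] in ("-", " "):
            if line[4:].split(" ")[0].upper() == "STARTTLS":
                return True
    return False

def decide(domain: str, s: Session) -> str:
    policy = POLICIES.get(domain.lower(), DEFAULT_POLICY)
    encrypted = offers_starttls(s.ehlo_reply) and s.tls_established
    if policy == "may":
        return "send-tls" if encrypted else "send-plaintext"
    if not encrypted:
        return "reject: TLS required but not available"
    if policy == "verify" and not s.cert_verified:
        # Encrypted, but the peer could be an interceptor with its own
        # self-signed certificate, so "encrypt" alone would have accepted it.
        return "reject: certificate not verified"
    return "send-tls"

# Constructed EHLO replies: one advertising STARTTLS, one where the keyword
# is absent (unsupported, or removed somewhere on the path).
EHLO_TLS = "250-mx.example.org\r\n250-PIPELINING\r\n250-STARTTLS\r\n250 8BITMIME"
EHLO_NO_TLS = "250-mx.example.org\r\n250-PIPELINING\r\n250 8BITMIME"

if __name__ == "__main__":
    print(decide("other.example", Session(EHLO_NO_TLS, False, False)))
    print(decide("example.org", Session(EHLO_TLS, True, False)))
    print(decide("bank.example", Session(EHLO_TLS, True, False)))
```

The "encrypt" level accepts an unverified certificate, which is exactly the interception case discussed in the earlier replies; only "verify" refuses it.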

Offline Jean-Philippe Pialasse

Re: Sending email securely
« Reply #9 on: Today at 03:57:10 PM »
Quote
Lastly, the young generation might not be using email as much as we do - but it's far from dead (https://www.emailisnotdead.com/).

Well, IM is not new, and email is still there.

ICQ is dead or almost.
MSN messenger was so popular and is dead.
Skype was on the edge before M$ bought it, I see no one using it now. FB messenger, Hangout, Viber, Telegram ... are emerging and getting more popular. What I see is rather that they steal users from SMS rather than from emails.